This target alters the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
Of course, it can only be used
in conjunction with
\fB\-p tcp\fP.
.PP
This target is used to overcome criminally braindead ISPs or servers
which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
.IP 1. 4
Web browsers connect, then hang with no data received.
.IP 2. 4
Small mail works fine, but large emails hang.
.IP 3. 4
ssh works fine, but scp hangs after initial handshaking.
.PP
Workaround: activate this option and add a rule to your firewall
configuration like:
.IP
 iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
 \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
.TP
\fB\-\-set\-mss\fP \fIvalue\fP
Explicitly sets MSS option to specified value. If the MSS of the packet is
already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
.TP
\fB\-\-clamp\-mss\-to\-pmtu\fP
Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
This may not function as desired where asymmetric routes with differing
path MTU exist \(em the kernel uses the path MTU which it would use to send
packets from itself to the source and destination IP addresses. Prior to
Linux 2.6.25, only the path MTU to the destination IP address was
considered by this option; subsequent kernels also consider the path MTU
to the source IP address.
.PP
These options are mutually exclusive.
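.PP
Added example, not part of the original manual page and not the kernel's TCPMSS code: a user-space C illustration of the rewrite described above, which lowers the MSS option of a SYN to MTU minus 40 (IPv4) or 60 (IPv6), never raises it, and patches the TCP checksum incrementally. The names clamp_mss and fold_sum, the MTU of 1492 and the sample SYN bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* One's-complement sum of n bytes (n even), the arithmetic of the TCP checksum. */
uint16_t fold_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Clamp the MSS option in tcp[0..len) to mtu - overhead (40 IPv4, 60 IPv6).
 * Returns the resulting MSS, 0 if no MSS option, -1 if not a SYN or malformed. */
int clamp_mss(uint8_t *tcp, size_t len, unsigned mtu, unsigned overhead)
{
    if (len < 20 || mtu <= overhead || mtu - overhead > 0xffff) return -1;
    size_t hdr = (size_t)(tcp[12] >> 4) * 4, i = 20;   /* data offset in bytes */
    if (hdr < 20 || hdr > len || !(tcp[13] & 0x02)) return -1;
    uint16_t lim = (uint16_t)(mtu - overhead);
    while (i < hdr && tcp[i] != 0) {                   /* kind 0: end of list */
        if (tcp[i] == 1) { i++; continue; }            /* kind 1: NOP */
        if (i + 1 >= hdr || tcp[i + 1] < 2 || i + tcp[i + 1] > hdr) return -1;
        if (tcp[i] == 2 && tcp[i + 1] == 4) {          /* kind 2: MSS */
            uint16_t old = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]);
            if (old <= lim) return old;                /* never raise the MSS */
            /* RFC 1624 eqn. 3 with the header sum before/after standing in for
             * the changed word, so an option at an odd offset is handled too. */
            uint32_t s = (uint16_t)~(tcp[16] << 8 | tcp[17]);
            s += (uint16_t)~fold_sum(tcp, hdr);
            tcp[i + 2] = (uint8_t)(lim >> 8); tcp[i + 3] = (uint8_t)lim;
            s += fold_sum(tcp, hdr);
            while (s >> 16) s = (s & 0xffff) + (s >> 16);
            tcp[16] = (uint8_t)(~s >> 8); tcp[17] = (uint8_t)~s;
            return lim;
        }
        i += tcp[i + 1];
    }
    return 0;
}

int main(void)
{
    /* Constructed SYN: ports 40000->443, MSS 1460, arbitrary checksum field. */
    uint8_t syn[24] = {0x9c,0x40,0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x60,0x02,0xff,0xff,
                       0x12,0x34,0,0, 2,4,0x05,0xb4};
    printf("MTU 1492 path: MSS -> %d\n", clamp_mss(syn, sizeof syn, 1492, 40));
    return 0;
}
```

Because the pseudo-header and payload do not change, a checksum that was valid before the rewrite stays valid after it.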